Group Policy Capabilities You're Missing

Video Transcript

What we want to start with is just a brief look at some of the capabilities that you are missing with the native toolset, and really highlight where they come in and when you are going to use them. So let's start by kicking off the Group Policy Management Console here, and we will dive into any random Group Policy Object, and by random I mean the Default Domain Policy, of course. Actually, this is one of the first places where you will notice some of the missing capabilities. The ability to back up and recover from this console is interesting enough, I suppose. But there is no real way to schedule it to happen, and that lack of natively integrated backup and recovery actually leads to a lot of the little issues that we can run into.

For example, let's just dive into this one. You have been in a Group Policy Object before, so I'm not going to spend a lot of time in here. But the point I am trying to make is that any administrator is capable of opening this up, going in, and modifying any policies they want to. When they are done, what is saved back to the Group Policy Object, to the actual files, is a complete new object that entirely replaces what was there before. So, let's say I go into Windows Components/Windows Remote Shell, and I'm going to allow Windows Remote Shell access. Enable this. Hit OK. Boom, it's Enabled; all I have to do is exit out of here and that has been saved. That is now the new effective Default Domain Policy.

If someone does not like that, it is going to be difficult to figure out, first of all, where it came from. It could be in any of my Group Policy Objects; it could be sitting anywhere in the operating system. At the same time, once you get inside the GPOs it's going to be tough because there is no way to compare things and there are no change management tools. There is no way to pull a prior version and see what was changed between any two versions of a GPO. There's also no auditing; there is no evidence whatsoever that I did it or what I changed. There's no way to go into the event log and determine what I changed, or anything else. I also do not have the ability to edit offline: as soon as I make that change, it's real. New computers that are logging onto the domain or refreshing Group Policy are going to get whatever changes I've made, even if I was not finished, or maybe had not tested or experimented with it enough. So it can be very difficult to effectively manage Group Policy through that toolset.

Now I'll tell you another area where people say you can make up for those things, and that is with Windows PowerShell (at least if you are on Windows Server 2008 R2, because it has got a wonderful Group Policy module). You will find that on Domain Controllers, but if you are on a Windows 7 computer and you install the Remote Server Administration Tools (RSAT), then you can pick the Group Policy module. Let's take a look at what this can do for you. We'll just look at the commands that were added by that module and see if any of these things can help make up for what is missing in the GPMC. Right at the top there is Backup-GPO; a little further down is Restore-GPO, so we certainly could automate backup and restore that way. It's possible that we could write a little PowerShell script, or a batch file if you prefer, put those backup commands into it, and then schedule it to run. Every hour if you would like to, but it depends on how often you think people are in messing with your GPOs.
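The scheduled backup the presenter describes, as an added example that is not part of the transcript: a script built on the Group Policy module's Backup-GPO and Restore-GPO, plus the schtasks.exe command to run it hourly. The share \\fileserver\gpo-backups, the script path C:\Scripts\Backup-AllGPOs.ps1 and the account CONTOSO\svc-gpobackup are assumed names; substitute your own.

```powershell
# Added example (not from the transcript): Backup-AllGPOs.ps1, a script that backs up
# every GPO into a timestamped folder so it can be run from Task Scheduler.
# Assumptions: the GroupPolicy module is available (domain controller or RSAT), and
# \\fileserver\gpo-backups is a share the scheduled task's account can write to.
Import-Module GroupPolicy

$BackupRoot = '\\fileserver\gpo-backups'                 # assumed location
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$Target     = Join-Path -Path $BackupRoot -ChildPath $Stamp
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Back up every GPO in the domain; each one gets its own backup GUID under $Target.
$backups = Backup-GPO -All -Path $Target -Comment "Scheduled backup $Stamp"

# Write a manifest so a later Restore-GPO knows which backup ID belongs to which GPO.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime, Comment |
    Export-Csv -Path (Join-Path -Path $Target -ChildPath 'manifest.csv') -NoTypeInformation

# Prune snapshots older than 30 days so the share does not fill up
# (PSIsContainer rather than -Directory so this also works on PowerShell 2.0).
Get-ChildItem -Path $BackupRoot |
    Where-Object { $_.PSIsContainer -and $_.CreationTime -lt (Get-Date).AddDays(-30) } |
    Remove-Item -Recurse -Force

# To roll a GPO back to the snapshot in this folder (run manually, not by the task):
#   Restore-GPO -Name 'Default Domain Policy' -Path $Target
#
# Schedule the script hourly with schtasks.exe, which exists on Windows 7 / 2008 R2
# (CONTOSO\svc-gpobackup is an assumed service account; /RP * prompts for its password):
#   schtasks /Create /SC HOURLY /TN "GPO hourly backup" /RU CONTOSO\svc-gpobackup /RP * ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-AllGPOs.ps1"
```

Backup-GPO writes the GPO's GPT files and a report under a new GUID-named folder each run, so a restore is only as good as the manifest that maps that GUID back to the GPO; keep the manifest and the backups together and restrict the share to the backup account, since anyone who can write to it can alter what Restore-GPO will put back.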

There is not really a compare. You'll notice about halfway through the list we do have Get-GPPrefRegistryValue and Get-GPRegistryValue, so you certainly could write a script that got all of the values out of a Group Policy Object and then saved that as a baseline. Let me show you a non-Group Policy example of what I am talking about. If I run Get-Process and export that to an XML file called baseline.xml, that creates a baseline. For Group Policy it would be a much larger script; you would have to run a lot of commands to get all of the Preference Registry Values and Registry Values out of Group Policy, but let's say you did that.

Then, let's say, somebody made some changes. I'm demonstrating by launching and changing two processes. Now I can use PowerShell's built-in diff command (Compare-Object) and have it compare the current processes against what was in that baseline.xml file. Again, this would be a much larger script if you were doing it in... oh, it turns out there are some tricks. What if I only want to compare the name? This will be a much longer script, but it will show me the differences between the two. TrustedInstaller is not currently running, but Calc and Notepad are, and they were not in the baseline. You could build this to do some comparison and do some auditing and change management. From the auditing perspective, what you are still missing is who made the change. If I really went through the effort of writing this comparison script, I could tell you the changes that were made between the prior copy of the GPO and a new copy, but I'm still not going to be able to tell you who did it. So, ultimately, these five key capabilities, Backup and Recovery, Change Control and Change Management, Comparison, Auditing, and the ability to Edit Offline, are just not available to us in the native toolset, but they are some of the most important capabilities that we can add to our environment, and that is what I'm going to talk about in the blog post this month.
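The "much larger script" the presenter sketches in the two passages above, as an added example that is not part of the transcript: it walks every registry-based policy setting in a GPO with Get-GPRegistryValue, saves the result with Export-Clixml as the baseline, and later diffs the live GPO against that baseline with Compare-Object (the cmdlet behind the diff alias). The function names and the path C:\GPOBaselines are assumptions; the Windows Remote Shell change from earlier is used as the sample scenario.

```powershell
# Added example (not from the transcript): baseline and compare a GPO's registry policy
# settings. Assumes the GroupPolicy module and PowerShell 3.0 or later ([pscustomobject]).
Import-Module GroupPolicy

function Get-GPRegistrySettings {
    # Flatten every configured registry value in the GPO into simple records.
    param([Parameter(Mandatory)][string]$Name)
    # Administrative Template settings land under these four roots.
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    foreach ($root in 'HKLM\Software\Policies',
                      'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies',
                      'HKCU\Software\Policies',
                      'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies') {
        $queue.Enqueue($root)
    }
    while ($queue.Count -gt 0) {
        $key = $queue.Dequeue()
        # Get-GPRegistryValue errors on a key with nothing configured; skip those.
        try { $items = Get-GPRegistryValue -Name $Name -Key $key -ErrorAction Stop }
        catch { continue }
        foreach ($item in $items) {
            if ($item.HasValue) {
                # Everything cast to string so a round trip through Clixml compares equal.
                [pscustomobject]@{
                    Key   = $item.FullKeyPath
                    Value = $item.ValueName
                    Type  = [string]$item.Type
                    Data  = [string]($item.Value -join ',')
                    State = [string]$item.PolicyState
                }
            } else {
                # A subkey that holds configured values: walk into it.
                $queue.Enqueue($item.FullKeyPath)
            }
        }
    }
}

function Save-GPBaseline {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    # @() so a GPO with no registry settings still produces a valid (empty) baseline file.
    @(Get-GPRegistrySettings -Name $Name) | Export-Clixml -Path $Path
}

function Compare-GPBaseline {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    $baseline = @(Import-Clixml -Path $Path)
    $current  = @(Get-GPRegistrySettings -Name $Name)
    # Compare-Object refuses an empty array on either side, so handle those cases by hand.
    if ($baseline.Count -eq 0) {
        return $current  | Select-Object @{n='Change';e={'Added'}},   Key, Value, Type, Data, State
    }
    if ($current.Count -eq 0) {
        return $baseline | Select-Object @{n='Change';e={'Removed'}}, Key, Value, Type, Data, State
    }
    # A modified value shows up as one 'Removed' (old data) and one 'Added' (new data) row.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                   -Property Key, Value, Type, Data, State |
        Select-Object @{n='Change';e={ if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } }},
                      Key, Value, Type, Data, State
}

# Usage (paths assumed):
#   Save-GPBaseline    -Name 'Default Domain Policy' -Path C:\GPOBaselines\DefaultDomainPolicy.xml
#   ... someone enables Windows Remote Shell / Allow Remote Shell Access in the GPO ...
#   Compare-GPBaseline -Name 'Default Domain Policy' -Path C:\GPOBaselines\DefaultDomainPolicy.xml
#   # reports an 'Added' row for HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig
```

Compare-Object with -Property matches records field by field, which is why the snapshot casts everything to strings: a live enum and its deserialized string form would otherwise never compare equal and every row would show as changed. This covers only registry-based policy (Administrative Templates); Group Policy Preferences would need a parallel walk with Get-GPPrefRegistryValue, and security settings, scripts and software installation are not registry values at all, so a diff of those needs Get-GPOReport output instead. As the presenter notes, none of this tells you who made the change.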